4 Replies Latest reply on Nov 3, 2009 6:50 AM by mveerama

    Issue with AMT provisioning with internal (subordinate) ca

    giovannif

      Hello All,

      I'm trying to verify whether SCCM 2007 SP1 can provision and manage Intel vPro clients when there are two Certification Authorities and the AMT Provisioning certificate is issued by an internal CA:

      Note:

      - I'm assuming that Intel supports this scenario

      1) Root Enterprise CA

      2) Subordinate Enterprise CA (this CA issues the AMT Provisioning certificate and the AMT Web Server certificate)

      Both CAs are Windows Server 2003 Enterprise SP2 based.

       

      This is my lab environment:

      - 1 DC, Windows Server 2003 SP2 based (this server is also the Enterprise Subordinate CA)
      - 1 Windows Server 2003 SP2 based server (this server is also the Enterprise Root CA)
      - 1 SCCM 2007 SP1 server, Windows Server 2008 SP2 x86 based
      - 1 client, Windows Vista SP2 Enterprise based (no SCCM agent installed)

      I would like to use the out of band method.

      Notes:

      - SCCM requests its certificate from the Enterprise Subordinate CA
      - On the Windows client I've added the Enterprise Root CA thumbprint
      - The Windows Vista client has been imported into SCCM 2007 using Import Out of Band Computer

      SCCM 2007 can't provision this computer.

       

      I've found this message in the SCCM amtopmgr.log:

      Description: A certificate is required to complete client authentication

      An extract from amtopmgr.log is attached.

      Has anybody any ideas?

      Thanks in advance.

      Giovanni

        • 1. Re: Issue with AMT provisioning with internal (subordinate) ca
          giovannif

          Here is the amtopmgr.log file:


          Incoming Connection from 10.0.0.11:49212.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          Incoming data is - Configuration version: PKI Configuration.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          Count  : 1    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          UUID   : D0859608-B772-DD11-A847-0019992FC5E5    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          Found matched hash from hello message with current provision certificate. (Hash: C4A82DCC1EAC529E254ADEEA4650238E733FBCF5)    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          ** Requesting AMT Discovery - Source,Custom,IPV4Address,10.0.0.11,NetBios,vprocl11, **    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          Successfully created instruction file for AMT Discovery.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          Warning: AMT device D0859608-B772-DD11-A847-0019992FC5E5 has not been discoveried by SMS or previously detected with NOT AMT capable machine. Send discovery instruction file.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          Waiting for incoming hello message from AMT devices...    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    3800 (0x0ED8)
          AMT Discovery Worker: Wakes up to process instruction files    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Reading Discovery Instruction E:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{1DF73945-7ACA-49C8-B53A-404D79B7F99E}.DSC...    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Execute query exec AMT_GetProvAccounts    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Finish reading discovery instruction E:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{1DF73945-7ACA-49C8-B53A-404D79B7F99E}.DSC    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Parsed 1 instruction files    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: There are 1 tasks in pending list    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Send task  to completion port    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          Auto-worker Thread Pool: Current size of the thread pool is 1    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: 1 task(s) are sent to the task pool successfully.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SRV01 SITE=V01 PID=3068 TID=2116 GMTDATE=mar nov 03 11:36:04.989 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Wait 20 seconds...    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Wakes up to process instruction files    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Wait 20 seconds...    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Wakes up to process instruction files    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          AMT Discovery Worker: Wait 20 seconds...    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.04    2116 (0x0844)
          Auto-worker Thread Pool: Work thread 2856 started    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.05    2856 (0x0B28)
          CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.0.0.11:16992.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.06    2856 (0x0B28)
          Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          **** Error 0x308b280 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          **** Error 0x308b280 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          **** Error 0x308b280 returned by ApplyControlToken    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          session params : https://vprocl11:16993   ,  11001    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          ERROR: Invoke(get) failed: 80020009argNum = 0    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Description: A certificate is required to complete client authentication    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Error: Failed to get AMT_SetupAndConfigurationService instance.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          session params : https://vprocl11:16993   ,  11001    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          ERROR: Invoke(get) failed: 80020009argNum = 0    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Description: A certificate is required to complete client authentication    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Error: Failed to get AMT_SetupAndConfigurationService instance.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          session params : https://vprocl11:16993   ,  11001    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          ERROR: Invoke(get) failed: 80020009argNum = 0    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Description: A certificate is required to complete client authentication    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Error: Failed to get AMT_SetupAndConfigurationService instance.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          CSMSAMTDiscoveryTask::Execute - DDR written to E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.11    2856 (0x0B28)
          AMT Discovery Worker: Wakes up to process instruction files    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.24    2116 (0x0844)
          AMT Discovery Worker: Wait 3600 seconds...    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.24    2116 (0x0844)
          Auto-worker Thread Pool: Work thread 2856 has been requested to shut down.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.51    2856 (0x0B28)
          Auto-worker Thread Pool: Work thread 2856 exiting.    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.51    2856 (0x0B28)
          Auto-worker Thread Pool: Current size of the thread pool is 0    SMS_AMT_OPERATION_MANAGER    03/11/2009 12.36.51    3232 (0x0CA0)

          • 2. Re: Issue with AMT provisioning with internal (subordinate) ca
            mveerama

             Did you have a chance to review these TechNet articles? Yes, it is possible to issue the provisioning cert from an internal CA.

             AMT Provisioning Certificate (used for provisioning)
               - Determine 3rd party or self generated
                 - 3rd party CA (Verisign, GoDaddy, Comodo, Starfield)
                 - Self generated from internal PKI infrastructure
               - Export cert for SCCM / WS-MAN Translator in a later configuration step
             Web Server Certificate (AMT TLS cert)
               - Create new Web Server template
               - Recommended certificate name: ConfigMgr AMT Web Server Certificate
               - Primary site server computer account (SCCM SP1 server) must have Full Control permissions

            • 3. Re: Issue with AMT provisioning with internal (subordinate) ca
              giovannif

               Hello Mohan,

               In the previous lab I set up an internal CA which issued the AMT certificate, and it works.

               Note: that CA was also the root CA in that environment.

               Now I would like to understand whether it is possible and supported to build a lab where there are two CAs:

               - the first one is the root CA

               - the second one is a subordinate CA, and this CA issues the AMT certs.

               Giovanni

              • 4. Re: Issue with AMT provisioning with internal (subordinate) ca
                mveerama

                 Yes, it is possible and I have done that. You need to install the sub CA. I had my CA on the domain controller and my sub CA on the SCCM SP1 server, and the corresponding templates created with site server Full Control permission. In the OOB management component you need to point to the CA for the web server template. I have not done issuing the internal provisioning certificate from the sub CA, but I would think that should also work.
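Added example, not part of the thread and not Intel's or Microsoft's code: a PowerShell check, run on the SCCM site server, for the two certificates the posts above discuss. With a subordinate CA in the picture, the things that go wrong are usually that the chain the site server builds does not end at the root hash the vPro firmware trusts (the posted log reports hash C4A82DCC1EAC529E254ADEEA4650238E733FBCF5 as matched from the hello message), that the site server holds the certificate without its private key, or that the web server certificate lacks the Server Authentication EKU or the name SCCM connects to (the log connects to https://vprocl11:16993). The function prints the full chain, so a missing sub CA certificate is visible at a glance. Assumptions: the `<...-thumbprint>` placeholders are illustrative and must be replaced with the real thumbprints from `Cert:\LocalMachine\My`; the AMT provisioning EKU OID 2.16.840.1.113741.1.2.3 and the Server Authentication OID 1.3.6.1.5.5.7.3.1 are Intel's and the PKIX standard values respectively, not values taken from the thread; both certificates are assumed to chain to the same root.

```powershell
# Added example (not from the thread): verify an AMT certificate the way the SCCM site
# server will use it. Loads the leaf from the machine store, builds the chain from the
# local stores, and reports root hash, EKU and DNS name mismatches.
function Test-AmtCertificate {
    [CmdletBinding()]
    param(
        # Thumbprint of the leaf certificate in Cert:\LocalMachine\My on the site server
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # SHA-1 hash of the root CA as configured in the AMT firmware and sent in the hello message
        [Parameter(Mandatory = $true)][string]$ExpectedRootHash,
        # EKU OIDs the leaf must carry
        [string[]]$RequiredEku = @(),
        # For the AMT web server certificate: the host name the site server connects to
        [string]$ExpectedDnsName = ''
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $cert.HasPrivateKey) {
        $problems.Add('no private key in LocalMachine\My; the site server cannot present this certificate')
    }

    # Build the chain from the local stores; revocation is skipped so a missing CRL
    # does not hide a chain-building problem
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        $problems.Add("chain status $($status.Status): $($status.StatusInformation.Trim())")
    }

    # Last element is the root the site server actually chained to; its SHA-1 thumbprint
    # must equal the hash the AMT firmware trusts, or TLS with the device cannot succeed
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = $elements[-1]
    $expected = ($ExpectedRootHash -replace '\s', '').ToUpperInvariant()
    if ($root.Thumbprint -ne $expected) {
        $problems.Add("chain ends at root $($root.Thumbprint), but AMT trusts root hash $expected")
    }

    # Enhanced Key Usage on the leaf
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    foreach ($oid in $RequiredEku) {
        if ($ekuOids -notcontains $oid) { $problems.Add("leaf is missing EKU $oid") }
    }

    # Subject CN plus Subject Alternative Name DNS entries
    if ($ExpectedDnsName) {
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        if ($san) {
            # Format() yields e.g. "DNS Name=vprocl11.example.local, DNS Name=vprocl11"
            $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        if ($names -notcontains $ExpectedDnsName) {
            $problems.Add("certificate names [$($names -join ', ')] do not include $ExpectedDnsName")
        }
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Chain    = (($elements | ForEach-Object { $_.Subject }) -join '  ->  ')
        RootHash = $root.Thumbprint
        Ok       = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Provisioning certificate: must chain to the root hash from the hello message
# (the posted log shows C4A82DCC1EAC529E254ADEEA4650238E733FBCF5 matched) and carry
# Intel's AMT provisioning EKU. The '<...>' thumbprints are placeholders (assumption).
Test-AmtCertificate -Thumbprint '<provisioning-cert-thumbprint>' `
    -ExpectedRootHash 'C4A82DCC1EAC529E254ADEEA4650238E733FBCF5' `
    -RequiredEku '2.16.840.1.113741.1.2.3' | Format-List

# AMT web server certificate: Server Authentication EKU and the name SCCM connects to
# (the log uses https://vprocl11:16993; a real deployment would use the FQDN).
Test-AmtCertificate -Thumbprint '<web-server-cert-thumbprint>' `
    -ExpectedRootHash 'C4A82DCC1EAC529E254ADEEA4650238E733FBCF5' `
    -RequiredEku '1.3.6.1.5.5.7.3.1' -ExpectedDnsName 'vprocl11' | Format-List
```

Run it in an elevated PowerShell session on the site server, because `Cert:\LocalMachine\My` and the private key flag are only readable there. The `Chain` field should list three subjects (leaf, subordinate CA, root) when the subordinate CA is in use; if it shows only two, the sub CA certificate is missing from the site server's Intermediate Certification Authorities store and the chain ended at the wrong root, which shows up as a `RootHash` mismatch. Intel also accepts an OU of "Intel(R) Client Setup Certificate" in place of the provisioning EKU; the script checks the EKU form only.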